docs: update the GitHub Auth section #17769

Merged
merged 9 commits into from
May 29, 2025
reorganize github-auth
EdwardAngert committed May 28, 2025
commit bf646fe7ee7601b32900bbb85fe6262bec97ced3
64 changes: 34 additions & 30 deletions docs/admin/users/github-auth.md
Expand Up @@ -16,46 +16,50 @@ to this data by administering the GitHub app.
## Default Configuration

> [!IMPORTANT]
> The default GitHub app requires [device flow](#device-flow) to authenticate.
> The default GitHub app grants Coder access to your organizations' GitHub data.
>
> This is enabled by default when using the default GitHub app.
> If you disable device flow using `CODER_OAUTH2_GITHUB_DEVICE_FLOW=false`, it will be ignored.
> For production environments, we strongly recommend that you
> [configure your own GitHub OAuth app](#step-1-configure-the-oauth-application-in-github)
> to ensure that your data is not shared with Coder (the company).

By default, only the admin user can sign up.
To allow additional users to sign up with GitHub, add the following environment variable:
To use the default configuration:

```env
CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS=true
```
1. [Install the GitHub app](https://github.com/apps/coder/installations/select_target)
in any GitHub organization that you want to use with Coder.

[Install the GitHub app](https://github.com/apps/coder/installations/select_target) in every GitHub organization that you need to limit sign ups to.
This will grant Coder, the company, access to your organizations' data as described in the installation flow.
In a production environment, we recommend configuring your own GitHub OAuth app as outlined further below, so all of your data is kept private.
The default GitHub app requires [device flow](#device-flow) to authenticate.
This is enabled by default when using the default GitHub app.
If you disable device flow using `CODER_OAUTH2_GITHUB_DEVICE_FLOW=false`, it will be ignored.

If you'd like to proceed with the default GitHub app, install it in the
organizations you want to limit sign ups to by visiting
[this page](https://github.com/apps/coder/installations/select_target) and set
the following environment variable:
1. By default, only the admin user can sign up.
To allow additional users to sign up with GitHub, add:

```env
CODER_OAUTH2_GITHUB_ALLOWED_ORGS="your-org"
```
```shell
CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS=true
```

1. **Configure Organization Restrictions (Optional)**
If you want to limit sign-ups to specific GitHub organizations, set:

For production deployments, we recommend configuring your own GitHub OAuth app
as outlined below. The default is automatically disabled if you configure your
own app or set:
```shell
CODER_OAUTH2_GITHUB_ALLOWED_ORGS="your-org"
```

```env
## Disable the Default GitHub App

You can disable the default GitHub app by [configuring your own app](#step-1-configure-the-oauth-application-in-github)
or by adding the following environment variable to your [Coder server configuration](../../reference/cli/server.md#options):

```shell
CODER_OAUTH2_GITHUB_DEFAULT_PROVIDER_ENABLE=false
```

> [!NOTE]
> After you disable the default GitHub provider with the setting above, the
> **Sign in with GitHub** button might still appear on your login page even though
> the authentication flow is disabled.
> After you disable the default GitHub provider, the **Sign in with GitHub** button
> might still appear on your login page even though the authentication flow is disabled.
>
> To completely hide the GitHub sign-in button, you must both disable the default
> provider and ensure you don't have a custom GitHub OAuth app configured.
> To completely hide the GitHub sign-in button, you must disable the default provider
> and ensure you don't have a custom GitHub OAuth app configured.

## Step 1: Configure the OAuth application in GitHub
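Review bot: The third list item labels the organization restriction "(Optional)", but the list never says who can sign up once `CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS=true` is set and `CODER_OAUTH2_GITHUB_ALLOWED_ORGS` is left unset. This is the access-control decision for the default app, so please state the resulting behaviour in that step, or cross-reference the `CODER_OAUTH2_GITHUB_ALLOW_EVERYONE` tip further down, so an admin does not enable sign-ups without knowing their scope. Minor: that item is the only one with a bold title, and as shown here the device-flow paragraph between the first two items is not indented under item 1; if that matches the file, the rendered numbering will restart.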

Expand Down Expand Up @@ -95,7 +99,7 @@ Alternatively, if you are running Coder as a system service, you can achieve the
same result as the command above by adding the following environment variables
to the `/etc/coder.d/coder.env` file:

```env
```shell
CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS=true
CODER_OAUTH2_GITHUB_ALLOWED_ORGS="your-org"
CODER_OAUTH2_GITHUB_CLIENT_ID="8d1...e05"
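Review bot: The fence label on this block changes from `env` to `shell`, but the sentence above it says these lines go into the `/etc/coder.d/coder.env` file rather than being typed at a prompt. Consider a label that matches file content, or say explicitly that this is the file's content. Since the block continues with `CODER_OAUTH2_GITHUB_CLIENT_SECRET`, a one-line reminder to keep that file readable only by the Coder service account would also fit here.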
Expand All @@ -105,7 +109,7 @@ CODER_OAUTH2_GITHUB_CLIENT_SECRET="57ebc9...02c24c"
> [!TIP]
> To allow everyone to sign up using GitHub, set:
>
> ```env
> ```shell
> CODER_OAUTH2_GITHUB_ALLOW_EVERYONE=true
> ```
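Review bot: The tip for `CODER_OAUTH2_GITHUB_ALLOW_EVERYONE=true` directly follows an example that sets `CODER_OAUTH2_GITHUB_ALLOWED_ORGS`, and it does not say how the two settings interact. Please add a sentence stating whether this setting replaces the organization restriction, so readers know how far they are opening sign-up before they copy it.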

Expand Down Expand Up @@ -149,7 +153,7 @@ This is enabled by default for the default GitHub app and cannot be disabled for

For your own custom GitHub OAuth app, you can enable device flow by setting:

```env
```shell
CODER_OAUTH2_GITHUB_DEVICE_FLOW=true
```
